@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (666) hide show
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -1,924 +0,0 @@
1
- import { Cv } from "@robelest/fx/convex";
2
- import { actionGeneric, mutationGeneric, queryGeneric } from "convex/server";
3
- import { ConvexError, v } from "convex/values";
4
-
5
- import type { AuthApi } from "./auth";
6
- import {
7
- enterpriseConnectionWhereValidator,
8
- enterpriseDomainInputValidator,
9
- enterpriseDomainVerificationInputValidator,
10
- enterprisePolicyPatchValidator,
11
- enterpriseSamlAttributeMappingValidator,
12
- enterpriseSamlSpValidator,
13
- enterpriseStatusValidator,
14
- } from "./enterprise/validators";
15
- import type { AuthAuthorizationConfig, AuthRoleId } from "./types";
16
-
17
- /**
18
- * Permission identifiers used by mounted enterprise admin APIs.
19
- *
20
- * These permission strings are passed to your {@link EnterpriseAuthorizer}
21
- * callback so app code can decide whether the current user may perform a
22
- * specific SSO or SCIM management operation.
23
- *
24
- * @example
25
- * ```ts
26
- * const authorized: EnterpriseAuthorizer = async (ctx, input) => {
27
- * if (input.permission === "sso.connection.create") {
28
- * // Only org admins may create SSO connections
29
- * }
30
- * };
31
- * ```
32
- */
33
- export type EnterpriseAdminPermission =
34
- | "sso.connection.create"
35
- | "sso.connection.read"
36
- | "sso.connection.manage"
37
- | "sso.domain.manage"
38
- | "sso.protocol.manage"
39
- | "sso.policy.manage"
40
- | "sso.audit.read"
41
- | "sso.webhook.manage"
42
- | "scim.manage";
43
-
44
- /**
45
- * Input passed to an {@link EnterpriseAuthorizer}.
46
- *
47
- * Contains the acting user, the requested permission, and the resolved
48
- * enterprise/group scope for the operation being authorized.
49
- */
50
- export type EnterpriseAdminAuthorizationInput = {
51
- /** The signed-in user's ID performing the admin action. */
52
- userId: string;
53
- /** The {@link EnterpriseAdminPermission} being requested. */
54
- permission: EnterpriseAdminPermission;
55
- /** Enterprise document ID, if the operation targets a specific enterprise. */
56
- enterpriseId?: string;
57
- /** Group document ID, if explicitly provided by the caller. */
58
- groupId?: string;
59
- /** Resolved group ID from the enterprise record, or `null` when no enterprise context. */
60
- resolvedGroupId: string | null;
61
- };
62
-
63
- /**
64
- * App-defined authorization hook for mounted enterprise admin APIs.
65
- *
66
- * Return `void` (or resolve) to allow the operation, or throw to deny it.
67
- *
68
- * @param ctx - Convex context with `ctx.auth` for identity checks.
69
- * @param input - The {@link EnterpriseAdminAuthorizationInput} describing who is doing what.
70
- * @returns `void` to allow; throw to deny.
71
- *
72
- * @example
73
- * ```ts
74
- * import { EnterpriseAuthorizer } from "@robelest/convex-auth/server";
75
- *
76
- * const authorized: EnterpriseAuthorizer = async (ctx, input) => {
77
- * const identity = await ctx.auth.getUserIdentity();
78
- * if (!identity) throw new Error("Forbidden");
79
- * // Allow all admin ops for the org owner
80
- * };
81
- * ```
82
- */
83
- export type EnterpriseAuthorizer = (
84
- ctx: { auth: import("convex/server").Auth },
85
- input: EnterpriseAdminAuthorizationInput,
86
- ) => Promise<void>;
87
-
88
- type RoleRef<TRoleId extends string> = { id: TRoleId };
89
-
90
- type MountedEnterpriseOptions<TRoleId extends string = string> = {
91
- admin?: {
92
- authorized?: EnterpriseAuthorizer;
93
- roles?: Array<TRoleId | RoleRef<TRoleId>>;
94
- };
95
- };
96
-
97
- /**
98
- * Configuration for {@link enterprise}, {@link sso}, and {@link scim}
99
- * mounted admin APIs.
100
- *
101
- * @typeParam TRoleId - Role IDs that may be assigned to enterprise creators.
102
- *
103
- * @example
104
- * ```ts
105
- * import { enterprise, EnterpriseMountOptions } from "@robelest/convex-auth/server";
106
- *
107
- * const options: EnterpriseMountOptions = {
108
- * admin: {
109
- * authorized: async (ctx, input) => {
110
- * // Verify the user has permission for `input.permission`
111
- * },
112
- * roles: ["admin", "owner"],
113
- * },
114
- * };
115
- * ```
116
- */
117
- export type EnterpriseMountOptions<TRoleId extends string = string> = {
118
- admin: {
119
- authorized: EnterpriseAuthorizer;
120
- roles?: Array<TRoleId | RoleRef<TRoleId>>;
121
- };
122
- };
123
-
124
- type MountedEnterpriseTarget = {
125
- enterpriseId?: string;
126
- groupId?: string;
127
- domain?: string;
128
- };
129
-
130
- function requireSignedInUser(auth: Pick<AuthApi, "context">) {
131
- return async (ctx: {
132
- auth: import("convex/server").Auth;
133
- }): Promise<string | null> => {
134
- return (await auth.context(ctx as never, { optional: true })).userId;
135
- };
136
- }
137
-
138
- function normalizeCreatorRoleIds<TRoleId extends string>(
139
- roles?: Array<TRoleId | RoleRef<TRoleId>>,
140
- ) {
141
- return roles?.map((role) => (typeof role === "string" ? role : role.id));
142
- }
143
-
144
- async function resolveMountedEnterpriseTarget(
145
- auth: Pick<AuthApi, "sso">,
146
- ctx: { auth: import("convex/server").Auth },
147
- target: MountedEnterpriseTarget,
148
- ) {
149
- if (target.groupId !== undefined) {
150
- return {
151
- enterpriseId: target.enterpriseId,
152
- groupId: target.groupId,
153
- resolvedGroupId: target.groupId,
154
- };
155
- }
156
-
157
- if (target.enterpriseId !== undefined) {
158
- const enterprise = await auth.sso.admin.connection.get(
159
- ctx as never,
160
- target.enterpriseId,
161
- );
162
- if (enterprise === null) {
163
- throw new ConvexError({
164
- code: "INVALID_PARAMETERS",
165
- message: "Enterprise not found.",
166
- });
167
- }
168
- return {
169
- enterpriseId: enterprise._id,
170
- groupId: enterprise.groupId,
171
- resolvedGroupId: enterprise.groupId,
172
- };
173
- }
174
-
175
- if (target.domain !== undefined) {
176
- const resolved = await auth.sso.admin.connection.getByDomain(
177
- ctx as never,
178
- target.domain,
179
- );
180
- if (resolved?.enterprise === undefined) {
181
- throw new ConvexError({
182
- code: "INVALID_PARAMETERS",
183
- message: "Enterprise not found.",
184
- });
185
- }
186
- return {
187
- enterpriseId: resolved.enterprise._id,
188
- groupId: resolved.enterprise.groupId,
189
- resolvedGroupId: resolved.enterprise.groupId,
190
- };
191
- }
192
-
193
- return {
194
- enterpriseId: undefined,
195
- groupId: undefined,
196
- resolvedGroupId: null,
197
- };
198
- }
199
-
200
- function createMountedAdminAuthorizer(
201
- auth: Pick<AuthApi, "context" | "sso">,
202
- options?: MountedEnterpriseOptions,
203
- ) {
204
- const requireUserId = requireSignedInUser(auth);
205
-
206
- return async (
207
- ctx: { auth: import("convex/server").Auth },
208
- permission: EnterpriseAdminPermission,
209
- target: MountedEnterpriseTarget = {},
210
- ) => {
211
- const userId = await requireUserId(ctx);
212
- if (userId === null) {
213
- throw Cv.error({
214
- code: "NOT_SIGNED_IN",
215
- message: "You must be signed in to perform this action.",
216
- });
217
- }
218
- if (!options?.admin?.authorized) {
219
- throw Cv.error({
220
- code: "FORBIDDEN",
221
- message: "Access denied.",
222
- });
223
- }
224
- const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
225
- await options.admin.authorized(ctx, {
226
- userId,
227
- permission,
228
- enterpriseId: resolved.enterpriseId,
229
- groupId: resolved.groupId,
230
- resolvedGroupId: resolved.resolvedGroupId,
231
- });
232
- return { userId, ...resolved };
233
- };
234
- }
235
-
236
- /**
237
- * Build optional public SSO management actions that apps can mount under
238
- * `convex/auth/sso/**` when they want client-callable enterprise APIs.
239
- *
240
- * `admin` is for tenant-admin control-plane operations and should be mounted
241
- * with an explicit authorization policy. `client` is for end-user sign-in
242
- * helpers and does not require tenant-admin authorization.
243
- *
244
- * @param auth - Auth API subset providing `group`, `member`, `sso`, and `user` namespaces.
245
- * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
246
- * @typeParam TAuthorization - Optional authorization config for typed role IDs.
247
- * @returns An object with `admin` (connection CRUD, OIDC/SAML protocol config, policy,
248
- * audit, webhooks, domain management) and `client` (signIn, metadata) namespaces.
249
- *
250
- * @example
251
- * ```ts
252
- * // convex/auth/sso.ts
253
- * import { sso } from "@robelest/convex-auth/server";
254
- * import { auth } from "../auth";
255
- *
256
- * const mounted = sso(auth, {
257
- * admin: {
258
- * authorized: async (ctx, input) => { /* check permissions *\/ },
259
- * },
260
- * });
261
- *
262
- * export const createConnection = mounted.admin.connection.create;
263
- * export const signIn = mounted.client.signIn;
264
- * ```
265
- *
266
- * @see {@link scim}
267
- * @see {@link enterprise}
268
- */
269
- export function sso<
270
- TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
271
- >(
272
- auth: Pick<
273
- AuthApi<TAuthorization>,
274
- "context" | "group" | "member" | "sso"
275
- >,
276
- options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,
277
- ) {
278
- const authorize = createMountedAdminAuthorizer(auth, options);
279
- const adminRoleIds = normalizeCreatorRoleIds(options?.admin?.roles);
280
-
281
- return {
282
- admin: {
283
- connection: {
284
- create: mutationGeneric({
285
- args: {
286
- groupId: v.optional(v.string()),
287
- name: v.optional(v.string()),
288
- slug: v.optional(v.string()),
289
- status: v.optional(enterpriseStatusValidator),
290
- domain: v.optional(v.string()),
291
- },
292
- handler: async (ctx, args) => {
293
- const authResult = await authorize(ctx, "sso.connection.create", {
294
- groupId: args.groupId,
295
- });
296
- const { userId } = authResult;
297
- const createsGroup = args.groupId === undefined;
298
- const groupId =
299
- args.groupId ??
300
- (
301
- await auth.group.create(ctx as never, {
302
- name: args.name?.trim() || args.slug?.trim() || "Enterprise",
303
- slug: args.slug,
304
- type: "enterprise",
305
- })
306
- ).groupId;
307
- if (createsGroup) {
308
- await auth.member.create(ctx as never, {
309
- groupId,
310
- userId,
311
- roleIds: adminRoleIds,
312
- });
313
- }
314
- const created = await auth.sso.admin.connection.create(
315
- ctx as never,
316
- {
317
- groupId,
318
- name: args.name,
319
- slug: args.slug,
320
- status: args.status,
321
- },
322
- );
323
- if (args.domain) {
324
- await auth.sso.admin.connection.domain.set(
325
- ctx as never,
326
- created.enterpriseId,
327
- [{ domain: args.domain, isPrimary: true }],
328
- );
329
- }
330
- return {
331
- ...created,
332
- groupId,
333
- createdGroup: createsGroup,
334
- };
335
- },
336
- }),
337
- get: queryGeneric({
338
- args: { enterpriseId: v.string() },
339
- handler: async (ctx, args) => {
340
- await authorize(ctx, "sso.connection.read", {
341
- enterpriseId: args.enterpriseId,
342
- });
343
- return await auth.sso.admin.connection.get(
344
- ctx as never,
345
- args.enterpriseId,
346
- );
347
- },
348
- }),
349
- getByGroup: queryGeneric({
350
- args: { groupId: v.string() },
351
- handler: async (ctx, args) => {
352
- await authorize(ctx, "sso.connection.read", {
353
- groupId: args.groupId,
354
- });
355
- return await auth.sso.admin.connection.getByGroup(
356
- ctx as never,
357
- args.groupId,
358
- );
359
- },
360
- }),
361
- getByDomain: queryGeneric({
362
- args: { domain: v.string() },
363
- handler: async (ctx, args) => {
364
- await authorize(ctx, "sso.connection.read", {
365
- domain: args.domain,
366
- });
367
- return await auth.sso.admin.connection.getByDomain(
368
- ctx as never,
369
- args.domain,
370
- );
371
- },
372
- }),
373
- list: queryGeneric({
374
- args: {
375
- where: v.optional(enterpriseConnectionWhereValidator),
376
- limit: v.optional(v.number()),
377
- cursor: v.optional(v.union(v.string(), v.null())),
378
- orderBy: v.optional(v.string()),
379
- order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
380
- },
381
- handler: async (ctx, args) => {
382
- await authorize(ctx, "sso.connection.read", {
383
- groupId: args.where?.groupId,
384
- });
385
- return await auth.sso.admin.connection.list(
386
- ctx as never,
387
- args as never,
388
- );
389
- },
390
- }),
391
- update: mutationGeneric({
392
- args: {
393
- enterpriseId: v.string(),
394
- data: v.object({
395
- name: v.optional(v.string()),
396
- slug: v.optional(v.string()),
397
- status: v.optional(enterpriseStatusValidator),
398
- }),
399
- },
400
- handler: async (ctx, args) => {
401
- await authorize(ctx, "sso.connection.manage", {
402
- enterpriseId: args.enterpriseId,
403
- });
404
- await auth.sso.admin.connection.update(
405
- ctx as never,
406
- args.enterpriseId,
407
- args.data,
408
- );
409
- return { enterpriseId: args.enterpriseId };
410
- },
411
- }),
412
- delete: mutationGeneric({
413
- args: { enterpriseId: v.string() },
414
- handler: async (ctx, args) => {
415
- await authorize(ctx, "sso.connection.manage", {
416
- enterpriseId: args.enterpriseId,
417
- });
418
- return await auth.sso.admin.connection.delete(
419
- ctx as never,
420
- args.enterpriseId,
421
- );
422
- },
423
- }),
424
- status: queryGeneric({
425
- args: { enterpriseId: v.string() },
426
- handler: async (ctx, args) => {
427
- await authorize(ctx, "sso.connection.read", {
428
- enterpriseId: args.enterpriseId,
429
- });
430
- return await auth.sso.admin.connection.status(
431
- ctx as never,
432
- args.enterpriseId,
433
- );
434
- },
435
- }),
436
- domain: {
437
- list: queryGeneric({
438
- args: { enterpriseId: v.string() },
439
- handler: async (ctx, args) => {
440
- await authorize(ctx, "sso.connection.read", {
441
- enterpriseId: args.enterpriseId,
442
- });
443
- return await auth.sso.admin.connection.domain.list(
444
- ctx as never,
445
- args.enterpriseId,
446
- );
447
- },
448
- }),
449
- validate: queryGeneric({
450
- args: { enterpriseId: v.string() },
451
- handler: async (ctx, args) => {
452
- await authorize(ctx, "sso.domain.manage", {
453
- enterpriseId: args.enterpriseId,
454
- });
455
- return await auth.sso.admin.connection.domain.validate(
456
- ctx as never,
457
- args.enterpriseId,
458
- );
459
- },
460
- }),
461
- set: mutationGeneric({
462
- args: {
463
- enterpriseId: v.string(),
464
- domains: v.array(enterpriseDomainInputValidator),
465
- },
466
- handler: async (ctx, args) => {
467
- await authorize(ctx, "sso.domain.manage", {
468
- enterpriseId: args.enterpriseId,
469
- });
470
- return await auth.sso.admin.connection.domain.set(
471
- ctx as never,
472
- args.enterpriseId,
473
- args.domains,
474
- );
475
- },
476
- }),
477
- verification: {
478
- request: mutationGeneric({
479
- args: enterpriseDomainVerificationInputValidator,
480
- handler: async (ctx, args) => {
481
- await authorize(ctx, "sso.domain.manage", {
482
- enterpriseId: args.enterpriseId,
483
- });
484
- return await auth.sso.admin.connection.domain.verification.request(
485
- ctx as never,
486
- args,
487
- );
488
- },
489
- }),
490
- confirm: actionGeneric({
491
- args: enterpriseDomainVerificationInputValidator,
492
- handler: async (ctx, args) => {
493
- await authorize(ctx, "sso.domain.manage", {
494
- enterpriseId: args.enterpriseId,
495
- });
496
- return await auth.sso.admin.connection.domain.verification.confirm(
497
- ctx as never,
498
- args,
499
- );
500
- },
501
- }),
502
- },
503
- },
504
- },
505
- oidc: {
506
- configure: mutationGeneric({
507
- args: {
508
- enterpriseId: v.string(),
509
- issuer: v.optional(v.string()),
510
- discoveryUrl: v.optional(v.string()),
511
- clientId: v.string(),
512
- clientSecret: v.optional(v.string()),
513
- scopes: v.optional(v.array(v.string())),
514
- authorizationParams: v.optional(v.record(v.string(), v.string())),
515
- clockToleranceSeconds: v.optional(v.number()),
516
- strictIssuer: v.optional(v.boolean()),
517
- extraFields: v.optional(v.record(v.string(), v.string())),
518
- },
519
- handler: async (ctx, args) => {
520
- await authorize(ctx, "sso.protocol.manage", {
521
- enterpriseId: args.enterpriseId,
522
- });
523
- return await auth.sso.admin.oidc.configure(ctx as never, args);
524
- },
525
- }),
526
- get: queryGeneric({
527
- args: { enterpriseId: v.string() },
528
- handler: async (ctx, args) => {
529
- await authorize(ctx, "sso.connection.read", {
530
- enterpriseId: args.enterpriseId,
531
- });
532
- return await auth.sso.admin.oidc.get(
533
- ctx as never,
534
- args.enterpriseId,
535
- );
536
- },
537
- }),
538
- validate: actionGeneric({
539
- args: { enterpriseId: v.string() },
540
- handler: async (ctx, args) => {
541
- await authorize(ctx, "sso.protocol.manage", {
542
- enterpriseId: args.enterpriseId,
543
- });
544
- return await auth.sso.admin.oidc.validate(
545
- ctx as never,
546
- args.enterpriseId,
547
- );
548
- },
549
- }),
550
- },
551
- saml: {
552
- configure: actionGeneric({
553
- args: {
554
- enterpriseId: v.string(),
555
- metadataXml: v.optional(v.string()),
556
- metadataUrl: v.optional(v.string()),
557
- domains: v.optional(v.array(v.string())),
558
- signAuthnRequests: v.optional(v.boolean()),
559
- attributeMapping: v.optional(
560
- enterpriseSamlAttributeMappingValidator,
561
- ),
562
- sp: v.optional(enterpriseSamlSpValidator),
563
- },
564
- handler: async (ctx, args) => {
565
- await authorize(ctx, "sso.protocol.manage", {
566
- enterpriseId: args.enterpriseId,
567
- });
568
- return await auth.sso.admin.saml.configure(ctx as never, args);
569
- },
570
- }),
571
- validate: queryGeneric({
572
- args: { enterpriseId: v.string() },
573
- handler: async (ctx, args) => {
574
- await authorize(ctx, "sso.protocol.manage", {
575
- enterpriseId: args.enterpriseId,
576
- });
577
- return await auth.sso.admin.saml.validate(
578
- ctx as never,
579
- args.enterpriseId,
580
- );
581
- },
582
- }),
583
- },
584
- policy: {
585
- get: queryGeneric({
586
- args: { enterpriseId: v.string() },
587
- handler: async (ctx, args) => {
588
- await authorize(ctx, "sso.connection.read", {
589
- enterpriseId: args.enterpriseId,
590
- });
591
- return await auth.sso.admin.policy.get(
592
- ctx as never,
593
- args.enterpriseId,
594
- );
595
- },
596
- }),
597
- update: mutationGeneric({
598
- args: {
599
- enterpriseId: v.string(),
600
- patch: enterprisePolicyPatchValidator,
601
- },
602
- handler: async (ctx, args) => {
603
- await authorize(ctx, "sso.policy.manage", {
604
- enterpriseId: args.enterpriseId,
605
- });
606
- return await auth.sso.admin.policy.update(
607
- ctx as never,
608
- args.enterpriseId,
609
- args.patch,
610
- );
611
- },
612
- }),
613
- validate: queryGeneric({
614
- args: { enterpriseId: v.string() },
615
- handler: async (ctx, args) => {
616
- await authorize(ctx, "sso.policy.manage", {
617
- enterpriseId: args.enterpriseId,
618
- });
619
- return await auth.sso.admin.policy.validate(
620
- ctx as never,
621
- args.enterpriseId,
622
- );
623
- },
624
- }),
625
- },
626
- audit: {
627
- list: queryGeneric({
628
- args: {
629
- enterpriseId: v.optional(v.string()),
630
- groupId: v.optional(v.string()),
631
- limit: v.optional(v.number()),
632
- },
633
- handler: async (ctx, args) => {
634
- await authorize(ctx, "sso.audit.read", {
635
- enterpriseId: args.enterpriseId,
636
- groupId: args.groupId,
637
- });
638
- return await auth.sso.admin.audit.list(ctx as never, args);
639
- },
640
- }),
641
- },
642
- webhook: {
643
- delivery: {
644
- list: queryGeneric({
645
- args: {
646
- enterpriseId: v.string(),
647
- limit: v.optional(v.number()),
648
- },
649
- handler: async (ctx, args) => {
650
- await authorize(ctx, "sso.webhook.manage", {
651
- enterpriseId: args.enterpriseId,
652
- });
653
- return await (auth.sso.admin.webhook as any).delivery.list(
654
- ctx as never,
655
- args,
656
- );
657
- },
658
- }),
659
- },
660
- endpoint: {
661
- create: mutationGeneric({
662
- args: {
663
- enterpriseId: v.string(),
664
- url: v.string(),
665
- secret: v.string(),
666
- subscriptions: v.array(v.string()),
667
- createdByUserId: v.optional(v.string()),
668
- },
669
- handler: async (ctx, args) => {
670
- const authResult = await authorize(ctx, "sso.webhook.manage", {
671
- enterpriseId: args.enterpriseId,
672
- });
673
- const { userId } = authResult;
674
- const result = await auth.sso.admin.webhook.endpoint.create(
675
- ctx as never,
676
- {
677
- ...args,
678
- createdByUserId: args.createdByUserId ?? userId,
679
- },
680
- );
681
- return {
682
- _id: result.endpointId,
683
- enterpriseId: args.enterpriseId,
684
- url: args.url,
685
- subscriptions: args.subscriptions,
686
- createdByUserId: args.createdByUserId ?? userId,
687
- status: "active",
688
- failureCount: 0,
689
- };
690
- },
691
- }),
692
- list: queryGeneric({
693
- args: { enterpriseId: v.string() },
694
- handler: async (ctx, args) => {
695
- await authorize(ctx, "sso.webhook.manage", {
696
- enterpriseId: args.enterpriseId,
697
- });
698
- const endpoints = await auth.sso.admin.webhook.endpoint.list(
699
- ctx as never,
700
- args.enterpriseId,
701
- );
702
- return endpoints.map((endpoint: Record<string, unknown>) => {
703
- const { secretHash: _secretHash, ...rest } = endpoint;
704
- return rest;
705
- });
706
- },
707
- }),
708
- disable: mutationGeneric({
709
- args: { endpointId: v.string() },
710
- handler: async (ctx, args) => {
711
- const endpoint = await auth.sso.admin.webhook.endpoint.get(
712
- ctx as never,
713
- args.endpointId,
714
- );
715
- if (!endpoint) {
716
- throw Cv.error({
717
- code: "INVALID_PARAMETERS",
718
- message: "Webhook endpoint not found.",
719
- });
720
- }
721
- await authorize(ctx, "sso.webhook.manage", {
722
- enterpriseId: endpoint.enterpriseId,
723
- groupId: endpoint.groupId,
724
- });
725
- return await auth.sso.admin.webhook.endpoint.disable(
726
- ctx as never,
727
- args.endpointId,
728
- );
729
- },
730
- }),
731
- },
732
- },
733
- },
734
- client: {
735
- signIn: queryGeneric({
736
- args: {
737
- enterpriseId: v.optional(v.string()),
738
- email: v.optional(v.string()),
739
- domain: v.optional(v.string()),
740
- redirectTo: v.optional(v.string()),
741
- },
742
- handler: async (ctx, args) => {
743
- return await auth.sso.client.signIn(ctx as never, args);
744
- },
745
- }),
746
- metadata: queryGeneric({
747
- args: {
748
- enterpriseId: v.string(),
749
- entityId: v.optional(v.string()),
750
- acsUrl: v.optional(v.string()),
751
- sloUrl: v.optional(v.string()),
752
- },
753
- handler: async (ctx, args) => {
754
- return await auth.sso.client.metadata(ctx as never, args);
755
- },
756
- }),
757
- },
758
- };
759
- }
760
-
761
- /**
762
- * Build optional public SCIM management actions that apps can mount under
763
- * `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
764
- *
765
- * @param auth - Auth API subset providing `scim`, `sso`, and `user` namespaces.
766
- * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
767
- * @typeParam TAuthorization - Optional authorization config for typed role IDs.
768
- * @returns An object with `admin.configure`, `admin.get`, and `admin.validate` actions.
769
- *
770
- * @example
771
- * ```ts
772
- * // convex/auth/scim.ts
773
- * import { scim } from "@robelest/convex-auth/server";
774
- * import { auth } from "../auth";
775
- *
776
- * const mounted = scim(auth, {
777
- * admin: {
778
- * authorized: async (ctx, input) => { /* check permissions *\/ },
779
- * },
780
- * });
781
- *
782
- * export const configure = mounted.admin.configure;
783
- * export const get = mounted.admin.get;
784
- * export const validate = mounted.admin.validate;
785
- * ```
786
- *
787
- * @see {@link sso}
788
- * @see {@link enterprise}
789
- */
790
- export function scim<
791
- TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
792
- >(
793
- auth: Pick<AuthApi<TAuthorization>, "context" | "scim" | "sso">,
794
- options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,
795
- ) {
796
- const authorize = createMountedAdminAuthorizer(auth, options);
797
-
798
- return {
799
- admin: {
800
- configure: mutationGeneric({
801
- args: {
802
- enterpriseId: v.string(),
803
- basePath: v.optional(v.string()),
804
- status: v.optional(enterpriseStatusValidator),
805
- },
806
- handler: async (ctx, args) => {
807
- await authorize(ctx, "scim.manage", {
808
- enterpriseId: args.enterpriseId,
809
- });
810
- return await auth.scim.admin.configure(ctx as never, args);
811
- },
812
- }),
813
- get: queryGeneric({
814
- args: { enterpriseId: v.string() },
815
- handler: async (ctx, args) => {
816
- await authorize(ctx, "scim.manage", {
817
- enterpriseId: args.enterpriseId,
818
- });
819
- return await auth.scim.admin.get(ctx as never, args.enterpriseId);
820
- },
821
- }),
822
- validate: queryGeneric({
823
- args: { enterpriseId: v.string() },
824
- handler: async (ctx, args) => {
825
- await authorize(ctx, "scim.manage", {
826
- enterpriseId: args.enterpriseId,
827
- });
828
- return await auth.scim.admin.validate(
829
- ctx as never,
830
- args.enterpriseId,
831
- );
832
- },
833
- }),
834
- },
835
- };
836
- }
837
-
838
- /**
839
- * Build a flat mounted enterprise API surface for app-owned Convex exports.
840
- *
841
- * Combines {@link sso} and {@link scim} into a single flat object with
842
- * all SSO connection, protocol, policy, audit, webhook, and SCIM
843
- * management functions plus end-user sign-in helpers. The `authorized`
844
- * callback is required for all admin operations.
845
- *
846
- * @param auth - Auth API subset providing `group`, `member`, `scim`, `sso`, and `user` namespaces.
847
- * @param options - Required {@link EnterpriseMountOptions} with an `admin.authorized` callback.
848
- * @typeParam TAuthorization - Optional authorization config for typed role IDs.
849
- * @returns A flat object with all enterprise management functions (e.g. `createConnection`,
850
- * `configureOidc`, `configureScim`, `signIn`, etc.).
851
- *
852
- * @example
853
- * ```ts
854
- * // convex/auth/enterprise.ts
855
- * import { enterprise } from "@robelest/convex-auth/server";
856
- * import { auth } from "../auth";
857
- *
858
- * const api = enterprise(auth, {
859
- * admin: {
860
- * authorized: async (ctx, input) => { /* check permissions *\/ },
861
- * roles: ["admin"],
862
- * },
863
- * });
864
- *
865
- * export const createConnection = api.createConnection;
866
- * export const configureOidc = api.configureOidc;
867
- * export const signIn = api.signIn;
868
- * ```
869
- *
870
- * @see {@link sso}
871
- * @see {@link scim}
872
- */
873
- export function enterprise<
874
- TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
875
- >(
876
- auth: Pick<
877
- AuthApi<TAuthorization>,
878
- "context" | "group" | "member" | "scim" | "sso"
879
- >,
880
- options: EnterpriseMountOptions<AuthRoleId<TAuthorization>>,
881
- ) {
882
- const mountedSso = sso(auth, {
883
- admin: options.admin,
884
- });
885
- const mountedScim = scim(auth, {
886
- admin: { authorized: options.admin.authorized },
887
- });
888
-
889
- return {
890
- createConnection: mountedSso.admin.connection.create,
891
- getConnection: mountedSso.admin.connection.get,
892
- getConnectionByGroup: mountedSso.admin.connection.getByGroup,
893
- getConnectionByDomain: mountedSso.admin.connection.getByDomain,
894
- listConnections: mountedSso.admin.connection.list,
895
- updateConnection: mountedSso.admin.connection.update,
896
- deleteConnection: mountedSso.admin.connection.delete,
897
- getConnectionStatus: mountedSso.admin.connection.status,
898
- listDomains: mountedSso.admin.connection.domain.list,
899
- validateDomains: mountedSso.admin.connection.domain.validate,
900
- setDomains: mountedSso.admin.connection.domain.set,
901
- requestDomainVerification:
902
- mountedSso.admin.connection.domain.verification.request,
903
- confirmDomainVerification:
904
- mountedSso.admin.connection.domain.verification.confirm,
905
- configureOidc: mountedSso.admin.oidc.configure,
906
- getOidc: mountedSso.admin.oidc.get,
907
- validateOidc: mountedSso.admin.oidc.validate,
908
- configureSaml: mountedSso.admin.saml.configure,
909
- validateSaml: mountedSso.admin.saml.validate,
910
- getPolicy: mountedSso.admin.policy.get,
911
- updatePolicy: mountedSso.admin.policy.update,
912
- validatePolicy: mountedSso.admin.policy.validate,
913
- listAudit: mountedSso.admin.audit.list,
914
- createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,
915
- listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,
916
- listWebhookDeliveries: mountedSso.admin.webhook.delivery.list,
917
- disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,
918
- configureScim: mountedScim.admin.configure,
919
- getScim: mountedScim.admin.get,
920
- validateScim: mountedScim.admin.validate,
921
- signIn: mountedSso.client.signIn,
922
- metadata: mountedSso.client.metadata,
923
- };
924
- }